Cisco Support Community


OSPF MD5 Key Rollover

I'm using MD5 auth on a virtual link and need to understand the key rollover process. I initially configured the routers (7206VXR, 12.4(15)T7) as follows:

R3:

router ospf 1
router-id 3.3.3.3
log-adjacency-changes
area 2 virtual-link 4.4.4.4 authentication message-digest
area 2 virtual-link 4.4.4.4 message-digest-key 1 md5 CISCO

R4:

router ospf 1
router-id 4.4.4.4
log-adjacency-changes
area 2 virtual-link 3.3.3.3 authentication message-digest
area 2 virtual-link 3.3.3.3 message-digest-key 1 md5 CISCO

The virtual link came up fine:

R3(config-router)#do sho ip ospf virt
Virtual Link OSPF_VL2 to router 4.4.4.4 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 2, via interface Serial1/0.34, Cost of using 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:09
Adjacency State FULL (Hello suppressed)
Index 2/3, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
Message digest authentication enabled
Youngest key id is 1

Then I changed the keys as follows:

R3(config-router)#area 2 virtual-link 4.4.4.4 message-digest-key 2 md5 CCIE
R4(config-router)#area 2 virtual-link 3.3.3.3 message-digest-key 2 md5 CCIE

On both routers:

show ip ospf vir
...
Rollover process begins...
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 1

Then I removed the old keys:

R3(config-router)#no area 2 virtual-link 4.4.4.4 message-digest-key 1
R4(config-router)#no area 2 virtual-link 3.3.3.3 message-digest-key 1

And I still see the rollover process in effect on both routers:

Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):

The output is the same from both routers. My virtual link is still up and OSPF is functioning correctly. But why am I still getting this message?

A show run confirms that key 1 no longer exists:

router ospf 1
router-id 3.3.3.3
log-adjacency-changes
area 2 virtual-link 4.4.4.4 authentication message-digest
area 2 virtual-link 4.4.4.4 message-digest-key 2 md5 CCIE
network 3.3.3.3 0.0.0.0 area 0
network 30.3.3.3 0.0.0.0 area 2
network 131.1.23.3 0.0.0.0 area 0
network 131.1.34.3 0.0.0.0 area 2

router ospf 1
router-id 4.4.4.4
log-adjacency-changes
area 2 virtual-link 3.3.3.3 authentication message-digest
area 2 virtual-link 3.3.3.3 message-digest-key 2 md5 CCIE
network 4.4.4.4 0.0.0.0 area 2
network 40.4.4.4 0.0.0.0 area 4
network 131.1.34.4 0.0.0.0 area 2
network 131.1.45.4 0.0.0.0 area 4

Any ideas? Thanks.

1 REPLY

Re: OSPF MD5 Key Rollover

Hello Michael,

Try to repeat the tests using

• debug ip ospf event

• debug ip ospf packet

• debug ip ospf hello

to see how the smooth key change is implemented: the router sends two copies of each hello, one with key 1 and one with key 2.

Hope to help

Giuseppe
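The dual-key behaviour the reply points at, written up as an added example that is not code from the thread or from Cisco IOS. It follows the OSPFv2 cryptographic authentication layout of RFC 2328 Appendix D (key id and sequence number in the header's authentication field, MD5 digest over packet plus zero-padded key appended after the packet) and adds a constructed router model: while a rollover is in progress the sender emits one copy of each hello per configured key, the receiver accepts any copy whose key id it knows, and "rollover in progress" stays set until every neighbor has been seen using the youngest key. The hello body, the `Router` class and `simulate_rollover()` are assumptions for illustration; the router ids and key strings are the ones from the thread.

```python
import hashlib
import hmac
import struct

# Added example, not code from the thread: a toy model of OSPFv2
# cryptographic authentication (RFC 2328, Appendix D) and of the key
# rollover behaviour the reply describes. Packet layout follows the RFC;
# the hello body and the Router state machine are constructed for
# illustration and are not Cisco IOS code.

OSPF_VERSION, OSPF_HELLO, AUTH_TYPE_CRYPTO = 2, 1, 2
HEADER_LEN, DIGEST_LEN = 24, 16
# Constructed hello body: netmask, hello 10, options, priority, dead 40, DR, BDR.
HELLO_BODY = struct.pack("!4sHBBI4s4s", bytes(4), 10, 0x02, 1, 40, bytes(4), bytes(4))


def pad_key(key: str) -> bytes:
    """RFC 2328 D.4.3: the key is 16 bytes; shorter keys are zero-padded."""
    raw = key.encode()
    if len(raw) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return raw.ljust(16, b"\x00")


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_hello(router_id: str, key_id: int, key: str, seq: int) -> bytes:
    """Hello packet with the cryptographic authentication trailer appended."""
    length = HEADER_LEN + len(HELLO_BODY)
    # Checksum is unused (0) with crypto auth; the 8-byte authentication
    # field carries: 0, key id, auth data length, cryptographic sequence no.
    header = struct.pack("!BBH4s4sHHHBBI", OSPF_VERSION, OSPF_HELLO, length,
                         ip_bytes(router_id), ip_bytes("0.0.0.0"), 0,
                         AUTH_TYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    packet = header + HELLO_BODY
    # Digest = MD5(packet || padded key); it follows the packet and is not
    # counted in the OSPF length field.
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify_hello(frame: bytes, keys: dict, last_seq: dict):
    """Return (accepted, sender id, key id). Unknown key ids are dropped."""
    if len(frame) < HEADER_LEN:
        return False, "", 0
    (ver, _t, length, rid, _area, _csum, autype,
     _z, key_id, auth_len, seq) = struct.unpack("!BBH4s4sHHHBBI", frame[:HEADER_LEN])
    sender = ".".join(str(b) for b in rid)
    if ver != OSPF_VERSION or autype != AUTH_TYPE_CRYPTO or auth_len != DIGEST_LEN:
        return False, sender, key_id
    if len(frame) != length + DIGEST_LEN or key_id not in keys:
        return False, sender, key_id
    expected = hashlib.md5(frame[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, frame[length:]):
        return False, sender, key_id
    if seq < last_seq.get(sender, 0):          # replay: sequence went backwards
        return False, sender, key_id
    last_seq[sender] = seq
    return True, sender, key_id


class Router:
    """Neighbour bookkeeping behind 'Youngest key id' / 'Rollover in progress'."""

    def __init__(self, router_id: str):
        self.router_id, self.keys, self.seq = router_id, {}, 0
        self.last_seq, self.neighbor_key = {}, {}   # neighbour -> key id last seen

    def youngest_key_id(self) -> int:
        return max(self.keys)

    def rollover_in_progress(self) -> bool:
        y = self.youngest_key_id()
        return any(k != y for k in self.neighbor_key.values())

    def send_hellos(self) -> list:
        """During rollover send one copy per key, otherwise only the youngest."""
        self.seq += 1
        ids = sorted(self.keys) if self.rollover_in_progress() else [self.youngest_key_id()]
        return [build_hello(self.router_id, k, self.keys[k], self.seq) for k in ids]

    def receive(self, frame: bytes) -> bool:
        ok, sender, key_id = verify_hello(frame, self.keys, self.last_seq)
        if ok:
            self.neighbor_key[sender] = key_id
        return ok


def exchange(a: Router, b: Router) -> int:
    """One hello round each way; returns how many copies were accepted."""
    return sum(b.receive(f) for f in a.send_hellos()) + sum(a.receive(f) for f in b.send_hellos())


def simulate_rollover() -> list:
    """Replay the thread's steps; returns (step, R3 rollover?, R4 rollover?)."""
    r3, r4 = Router("3.3.3.3"), Router("4.4.4.4")
    r3.keys[1] = r4.keys[1] = "CISCO"
    trace = []
    exchange(r3, r4)
    trace.append(("key 1 only", r3.rollover_in_progress(), r4.rollover_in_progress()))
    r3.keys[2] = "CCIE"                        # new key on R3 only: R3 sends both copies
    exchange(r3, r4)
    trace.append(("key 2 on R3", r3.rollover_in_progress(), r4.rollover_in_progress()))
    r4.keys[2] = "CCIE"                        # new key on both: rollover completes
    exchange(r3, r4)
    trace.append(("key 2 on both", r3.rollover_in_progress(), r4.rollover_in_progress()))
    del r3.keys[1], r4.keys[1]                 # retire the old key
    exchange(r3, r4)
    trace.append(("key 1 removed", r3.rollover_in_progress(), r4.rollover_in_progress()))
    return trace


if __name__ == "__main__":
    for step in simulate_rollover():
        print(step)
```

In the trace the "key 2 on R3" step is the state the thread shows (youngest key 2, one neighbor still on key 1): R3 sends a key-1 and a key-2 copy of every hello, R4 drops the copy whose key id it does not have yet, and nothing breaks. The model's rollover flag clears as soon as the neighbor is seen with the youngest key; it does not reproduce the persistent "Rollover in progress" line from the question, which the thread leaves unexplained.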
